
Commit 690e1d7

more edits
1 parent e67f304 commit 690e1d7


6 files changed

+44
-44
lines changed


learn-pr/advocates/top-5-security-items-to-consider/includes/2-azure-security-center.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ Defender for Cloud is part of the [Center for Internet Security](https://www.cis
1717

1818
Microsoft Defender for Cloud provides unified security management and advanced threat protection for hybrid cloud workloads, and is offered in several plans. The Foundational Cloud Security Posture Management (CSPM) plan, which is free and activated by default provides security policies, assessments, and recommendations. The Defender CSPM plan provides a robust set of features, including threat intelligence. There are also plans for Servers, App Service, and more.
1919

20-
Given the benefits of Defender for Cloud, the security team at your company has decided that it will be turned on for all subscriptions at your office. You got an email this morning to turn it on for your applications, so let's look at how to do that.
20+
Given the benefits of Defender for Cloud, your company's security team has decided to turn it on for all subscriptions at your office. You got an email this morning to turn it on for your applications, so let's look at how to do that.
2121

2222
> [!IMPORTANT]
2323
> Microsoft Defender for Cloud is not supported in the free Azure sandbox. You can perform these steps in your own subscription, or just follow along to understand how to activate Defender for Cloud.
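Review bot: the unchanged context line 18 has a missing comma that this copy-edit pass should pick up: "which is free and activated by default provides security policies" reads as a run-on; suggest "which is free and activated by default, provides security policies, assessments, and recommendations." The rewrite of line 20 itself is fine, though "at your office" is an odd scope for subscriptions; "in your organization" would match the rest of the unit.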
@@ -26,7 +26,7 @@ Given the benefits of Defender for Cloud, the security team at your company has
2626

2727
![Screenshot showing the All services pane with Defender for Cloud highlighted.](../media/2-ASC-Menu.png)
2828

29-
1. If you've never opened Defender for Cloud, the pane will start on the **Getting started** entry which might ask you to upgrade your subscription. Ignore that for now; select **Skip** at the bottom of the page, then select **Overview**.
29+
1. If you've never opened Defender for Cloud, the pane starts on the **Getting started** entry, which might ask you to upgrade your subscription. Ignore that for now; select **Skip** at the bottom of the page, then select **Overview**.
3030
- This will display the "big security picture" across all the elements available in your subscription.
3131
- This has a ton of great information you can explore.
3232

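Review bot: the two unchanged sub-bullets on lines 30 and 31 still use the future-tense "will display" and the informal "a ton of great information" that this commit is removing elsewhere; for consistency with the edited step above them, suggest "This displays the "big security picture" across all the elements available in your subscription." and "It has a lot of useful information you can explore."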
@@ -36,7 +36,7 @@ Given the benefits of Defender for Cloud, the security team at your company has
3636

3737
### Foundational CSPM vs. Defender CSPM pricing tier
3838

39-
While you can use a free Azure subscription tier with Defender for Cloud, it's limited to assessments and recommendations of Azure resources only. To really leverage Defender for Cloud, you will need to upgrade to a Defender CSPM subscription as shown previously. You can upgrade your subscription through the **Upgrade** button on the **Getting Started** pane in the Defender for Cloud menu, which will walk you through changing your subscription level. The pricing and features may change based on the region, you can get a full overview on the [pricing page](https://azure.microsoft.com/pricing/details/security-center/).
39+
Although you can use a free Azure subscription tier with Defender for Cloud, it's limited to assessments and recommendations of Azure resources only. To really leverage Defender for Cloud, you'll need to upgrade to a Defender CSPM subscription as shown previously. You can upgrade your subscription through the **Upgrade** button on the **Getting Started** pane in the Defender for Cloud menu, which will walk you through changing your subscription level. The pricing and features might change based on the region; you can get a full overview on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
4040

4141
> [!NOTE]
4242
> To upgrade a subscription to the Defender CSPM tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.
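Review bot: this hunk silently changes the pricing link target from `.../pricing/details/security-center/` to `.../pricing/details/defender-for-cloud/` inside what is otherwise a wording pass; a link-target change should be called out in the commit message ("more edits" does not cover it) and the new URL checked to resolve rather than redirect. Separately, "as shown previously" in the rewritten line points at nothing specific; the earlier text only mentions the Upgrade prompt on the Getting started pane, so "as described in the previous step" would be clearer.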
@@ -46,22 +46,22 @@ While you can use a free Azure subscription tier with Defender for Cloud, it's l
4646
4747
## Turning off Microsoft Defender for Cloud
4848

49-
For production systems, you definitely want to keep Microsoft Defender for Cloud turned on so it can monitor all your resources for threats. However, if you're just playing with Defender for Cloud and turned it on, you will likely want to disable it to ensure you're not charged. Let's do that now.
49+
For production systems, you definitely want to keep Microsoft Defender for Cloud turned on so it can monitor all your resources for threats. However, if you're just playing with Defender for Cloud and turned it on, you'll likely want to disable it to ensure you're not charged. Let's do that now.
5050

5151
1. Open the [Azure portal](https://portal.azure.com?azure-portal=true) and select **Microsoft Defender for Cloud** from the left-hand menu. If you don't see it there, you can select **All services** and find **Microsoft Defender for Cloud** in the security section as shown in the following image:
5252

5353
![Screenshot showing the All services pane with Defender for Cloud highlighted.](../media/2-ASC-Menu.png)
5454

55-
1. Select **Environment settings** from the left-hand menu.
55+
1. Select **Environment settings** under **Management** in the left-hand menu.
5656

57-
1. Next, select the ellipses next to the subscription for which you want to downgrade, then select **Edit settings**.
57+
1. Next, select the ellipses next to the subscription you want to downgrade, then select **Edit settings**.
5858

5959
1. A new page will appear that looks like the image below. Toggle the **Defender CSPM** plan to **Off**.
6060

6161
![Screenshot showing Foundational CSPM and Defender CSPM options.](../media/2-Pricing-Tier.png)
6262

63-
1. Press the **Save** button at the top of the screen.
63+
1. Select the **Save** button at the top of the screen.
6464

65-
You have now downgraded your subscription to the free tier of Microsoft Defender for Cloud.
65+
You've now downgraded your subscription to the free tier of Microsoft Defender for Cloud.
6666

67-
Congratulations, you have taken your first (and most important) step to securing your application, data and network!
67+
Congratulations, you've taken your first (and most important) step to securing your application, data and network!
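Review bot: the unchanged line 59 still reads "A new page will appear that looks like the image below", the same "will"/"below" pattern this commit replaces with present tense and "previously" elsewhere; suggest "A new page appears that looks like the following image." More importantly, the step only toggles the Defender CSPM plan off, yet line 65 concludes "You've now downgraded your subscription to the free tier"; the unit's own line 18 says there are also plans for Servers, App Service and more, so a reader who enabled any of those would still be billed. Suggest either adding a step to check that no other Defender plans are enabled on the same Environment settings page, or softening line 65 to "You've now turned off the Defender CSPM plan."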

learn-pr/advocates/top-5-security-items-to-consider/includes/3-inputs-and-outputs.md

Lines changed: 9 additions & 9 deletions
@@ -1,20 +1,20 @@
1-
The most prevalent security weakness of current applications is a failure to correctly process data that is received from external sources, particularly _user input_. You should always take a close look at any input to make sure it has been validated before it is used. Failing to analyze user input for possible attacks can result in data loss or exposure, elevation of privilege, or even execution of malicious code on other users' computers.
1+
The most prevalent security weakness of current applications is a failure to correctly process data received from external sources, particularly _user input_. You should always take a close look at any input to make sure it's been validated before it's used. Failing to analyze user input for possible attacks can result in data loss or exposure, elevation of privilege, or even execution of malicious code on other users' computers.
22

3-
The tragedy in this situation is that this scenario an easy problem to solve. In this unit we'll cover how to treat data when it's received, when it's displayed on the screen, and when it's stored for later use.
3+
The tragedy in this situation is that this scenario an easy problem to solve. In this unit, we cover how to treat data when it's received, when it's displayed on the screen, and when it's stored for later use.
44

55
## Why do we need to validate our input?
66

7-
Imagine that you're building an interface to allow a user to create an account on your website. Our profile data includes a name, email, and a nickname that we'll display to everyone who visits the site. What if a new user creates a profile and enters a nickname that includes some SQL commands? For example, what if a malicious user enters something like the following excerpt:
7+
Imagine that you're building an interface to allow a user to create an account on your website. Our profile data includes a name, email, and a nickname that we'll display to everyone who visits the site. What if a new user creates a profile and enters a nickname that includes some SQL commands? For example, what if a malicious user enters something like the following:
88

99
```sql
1010
Eve'); DROP TABLE Users;--
1111
```
1212
13-
If we blindly insert this value into a database, it could potentially alter the SQL statement to execute commands we absolutely don't want to run! This example is referred to as a "SQL Injection" attack, which is one of the _many_ types of exploits that can potentially be done when you don't properly handle user input. So, what can we do to fix this situation? This unit will teach you when to validate input, how to encode output, and how to create parameterized queries (which solves the above exploit). These techniques are the three main defense techniques against malicious input being entered into your applications.
13+
If we blindly insert this value into a database, it could potentially alter the SQL statement to execute commands we absolutely don't want to run! This example is referred to as a _SQL Injection_ attack, which is one of the _many_ types of exploits that can potentially happen when you don't properly handle user input. So, what can we do to fix this situation? This unit teaches you when to validate input, how to encode output, and how to create parameterized queries (which solves the above exploit). These techniques are the three main defense techniques against malicious input being entered into your applications.
1414
1515
## When do I need to validate input?
1616
17-
The answer is _always_. You must validate **every** input for your application. This includes parameters in the URL, input from the user, data from the database, data from an API, and anything that is passed in the clear that a user could potentially manipulate. Always use an _allowlist_ approach, which means you only accept "known good" input, instead of a _blocklist_ (where you specifically look for bad input) because it's impossible to think of a complete list of potentially dangerous input. Do this work on the server, not the client side (or in addition to the client side), to ensure that your defenses can't be circumvented. Treat **ALL** data as untrusted, and you'll protect yourself from most of the common web app vulnerabilities.
17+
The answer is _always_. You must validate **every** input for your application. This includes parameters in the URL, input from the user, data from the database, data from an API, and anything that's passed in the clear that a user could potentially manipulate. Always use an _allowlist_ approach, which means you only accept "known good" input, instead of a _blocklist_ (where you specifically look for bad input) because it's impossible to think of a complete list of potentially dangerous input. Do this work on the server, not the client side (or in addition to the client side), to ensure that your defenses can't be circumvented. Treat **ALL** data as untrusted, and you'll protect yourself from most of the common web app vulnerabilities.
1818
1919
If you're using ASP.NET, the framework provides [great support for validating input](/aspnet/web-pages/overview/ui-layouts-and-themes/validating-user-input-in-aspnet-web-pages-sites) on both the client and server side.
2020

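Review bot: the edited line 3 still carries the grammatical error from the original, "this scenario an easy problem to solve" is missing its verb; since the line is already being touched, suggest "The tragedy in this situation is that this scenario is an easy problem to solve." The rest of the hunk (contractions, "we cover", "happen", "teaches") is consistent with the style the commit applies elsewhere.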
@@ -32,7 +32,7 @@ string userName = Request.QueryString["username"]; // receive input from the use
3232
string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";
3333
```
3434

35-
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just _tried_ different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
35+
Here, we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just _tried_ different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
3636

3737
```sql
3838
-- Lookup a user
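Review bot: the unchanged comment on line 38, "-- Lookup a user", uses the noun form where the verb is meant; suggest "-- Look up a user". Also, line 35 recommends "parameterized SQL statements or stored procedures" as the fix for the concatenated query shown above it; a stored procedure that builds dynamic SQL from its arguments is just as injectable, so it would be clearer to say "parameterized SQL statements or parameterized stored procedures" so readers do not take the procedure itself as the safeguard.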
@@ -48,10 +48,10 @@ With this method, you can invoke the procedure from your code safely, passing it
4848

4949
## Always encode your output
5050

51-
Any output you present either visually or within a document should always be encoded and escaped. This can protect you in case something was missed in the sanitization pass or the code accidentally generates something that can be used maliciously. This design principle will make sure that everything is displayed as _output_ and not inadvertently interpreted as something that should be executed, which is another common attack technique that is referred to as "Cross-Site Scripting" (XSS).
51+
Any output you present either visually or within a document should always be encoded and escaped. This can protect you in case something was missed in the sanitization pass or the code accidentally generates something that can be used maliciously. This design principle makes sure that everything is displayed as _output_ and not inadvertently interpreted as something that should be executed, which is another common attack technique that's referred to as _Cross-Site Scripting_ (XSS).
5252
53-
Since XSS prevention is a common application requirement, this security technique is another area where ASP.NET will do the work for you. By default, all output is already encoded. If you're using another web framework, you can verify your options for output encoding on websites with the [OWASP XSS Prevention Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).
53+
Because XSS prevention is a common application requirement, this security technique is another area where ASP.NET does the work for you. By default, all output is already encoded. If you're using another web framework, you can verify your options for output encoding on websites with the [OWASP XSS Prevention Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).
5454

5555
## Summary
5656

57-
Sanitizing and validating your input is a necessary requirement to ensure your input is valid and safe to use and store. Most modern web frameworks offer built-in features that can automate some of this work. You can check your preferred framework's documentation and see what features it offers. While web applications are the most common place where this happens, keep in mind that other types of applications can be just as vulnerable. Don't think you're safe just because your new application is a desktop app. You'll still need to properly handle user input to ensure someone doesn't use your app to corrupt your data or damage your company's reputation.
57+
Sanitizing and validating your input is a necessary requirement to ensure your input is valid and safe to use and store. Most modern web frameworks offer built-in features that can automate some of this work. You can check your preferred framework's documentation and see what features it offers. Although web applications are the most common place where this happens, keep in mind that other types of applications can be just as vulnerable. Don't think you're safe just because your new application is a desktop app. You'll still need to properly handle user input to ensure someone doesn't use your app to corrupt your data or damage your company's reputation.
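Review bot: line 53 keeps the unqualified claim "By default, all output is already encoded" while the same sentence immediately tells readers to verify their options; an absolute like this is the kind of statement readers rely on without checking, so suggest softening it to describe the default behaviour rather than "all output". The summary on line 57 also leads with "Sanitizing and validating your input" although the unit body (lines 13 and 17) teaches allowlist validation, output encoding and parameterized queries, not sanitization; aligning the summary with those three terms would avoid suggesting a fourth technique the unit never covers.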

learn-pr/advocates/top-5-security-items-to-consider/includes/4-secrets-in-key-vault.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@ Secrets aren't secrets if they're shared with everyone. Storing confidential ite
22

33
Instead, you should always put these secrets into **Azure Key Vault**.
44

5-
## What is Azure Key Vault
5+
## What is Azure Key Vault?
66

77
Azure Key Vault is a *secret store*: a centralized cloud service for storing application secrets. Key Vault keeps your confidential data safe by keeping application secrets in a single central location and providing secure access, permissions control, and access logging.
88

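Review bot: adding the question mark to "## What is Azure Key Vault?" is the right call, but the sibling heading "## Why use a Key Vault for my secrets" on line 16 of the same file is also a question and is left without one in this commit; the two should be changed together. Minor style point on the unchanged line 7: "keeps your confidential data safe by keeping application secrets" repeats "keep"; suggest "by storing application secrets in a single central location".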
@@ -15,7 +15,7 @@ Secrets are stored in individual *vaults*, each with their own configuration and
1515
1616
## Why use a Key Vault for my secrets
1717

18-
Key management and storing secrets can be complicated and error-prone when performed manually. Rotating certificates manually means potentially going without for a few hours or days. As mentioned above, saving your connections strings in your configuration file or code repository means someone could steal your credentials.
18+
Key management and storing secrets can be complicated and error-prone when performed manually. Rotating certificates manually means potentially going without for a few hours or days. As mentioned previously, saving your connections strings in your configuration file or code repository means someone could steal your credentials.
1919

2020
Key Vault allows users to store connection strings, secrets, passwords, certificates, access policies, file locks (making items in Azure read-only), and automation scripts. It also logs access and activity and allows you to monitor access control (IAM) in your subscription. It also has diagnostics, metrics, alerts, and troubleshooting tools to ensure you have the access you need.
2121

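Review bot: the rewritten line 18 still contains the typo "connections strings" from the original; since the line is being edited anyway, suggest "saving your connection strings in your configuration file or code repository". The heading on line 16, "## Why use a Key Vault for my secrets", should also receive the question mark that this commit adds to the "What is Azure Key Vault?" heading earlier in the file.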